Friday, January 19, 2007

Linux Security - Hardening your System

The number of new Linux users is growing every day. More and more home users are discovering the Linux desktop. People are moving to Linux for many reasons, such as:

  • Linux is an open source and free OS: you can get the kernel or a distribution full of packages (Debian, for instance, has over 15490 packages) and customise/modify them to your needs
  • Linux is also in many cases free of charge. You can get very stable, well-supported distributions (with a worldwide user community to help you for free) that are constantly updated, and new hardware and software additions are a constant under Linux. Refer to Debian, Ubuntu, Fedora, gNewSense, Gentoo, Suse. For a complete list of Linux distributions, please follow this link.
  • Stability. Linux is rock solid and does not crash often.
  • Security. Linux is very secure. There are no viruses, worms or Trojan horses for Linux.

I could add many other reasons why people move to Linux. However, in the interest of this article, I will stop here and concentrate my discussion on the last two items: Linux is stable and secure.

The concept that Linux is a secure OS per se is, in my opinion, a very dangerous assumption. Why do I consider it dangerous? Because, as with any software, Linux and the programs that run on it have bugs and vulnerabilities, which can be exploited by a hacker trying to break into your system. Most distributions are not hardened enough to be connected to the Wild (the Internet). Most distributions don't have even a firewall, anti-virus or IPS (intrusion prevention system) set up and running by default. In some cases there are unnecessary services up and listening for connections. To worsen the situation, the user starts installing programs that he/she doesn't know are listening for external connections. To conclude my line of thought: Linux being a secure OS does not mean that someone should simply download a distribution, install it and start "surfing" the Internet, or the Wild as I prefer to call it, without ever hardening the system and keeping it updated. This is especially true for the home user. A corporate user normally has, or should have, security personnel in charge of information system and network security.
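One way to check for the situation described above, services listening for external connections that you did not know about, is to filter the output of ss -tuln against a list of ports you expect to be open. This is an added example, not part of the original article; the function names, the allowlist format and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Reads `ss -tuln` output on
# stdin and reports listeners that are reachable from outside the machine.

# Constructed sample of `ss -tuln` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      80     *:3306             *:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      5      [::1]:631          [::]:*
EOF
}

# Print "proto port address" for every listener not bound to loopback.
exposed_listeners() {
    awk '
        $1 == "Netid" || NF < 5 { next }      # header or malformed line
        $1 == "tcp" && $2 != "LISTEN" { next }
        {
            n = match($5, /:[^:]*$/)          # the last colon starts the port
            if (n == 0) next
            addr = substr($5, 1, n - 1)
            port = substr($5, n + 1)
            sub(/%.*$/, "", addr)             # drop a "%lo" style scope
            gsub(/^\[|\]$/, "", addr)         # drop IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1") next
            print $1, port, addr
        }'
}

# Same, minus anything on the allowlist, given as "tcp/22 udp/68".
unexpected_listeners() {
    exposed_listeners | awk -v allow="${1:-}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { key = $1 "/" $2; if (!(key in ok)) print }'
}

# Demo on the constructed sample; prints: tcp 3306 *
sample_ss_output | unexpected_listeners "tcp/22 udp/68"
```

On a real system, pipe `ss -tuln` into unexpected_listeners with your own allowlist; every line it prints is a service to either bind to loopback, firewall off, or stop.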

Therefore, I intend to write a series of articles to help new Linux users (and not so new ones, too) harden their systems and keep them secure. The first article in this series will be "Installation and Set up of Linux Firewall and Anti-virus". After that, I will discuss and introduce quick fixes for some common deadly sins: weak and default passwords, open network ports, old software versions, insecure and badly configured programs, insufficient resources and misplaced priorities, stale and unnecessary accounts. Furthermore, I'll present secure tunnels to protect your outgoing network connections, how to protect your email, how to protect your files, and intrusion detection and prevention. And, if you've read the articles in this series too late, you will benefit from the articles in the series Recovery and Response.

I'll release the first article on Saturday, Jan. 20th and I'll always announce the article that will follow.

I hope those articles will help you keep your system secure and contribute to your joy of using Linux.

Wednesday, January 17, 2007

Tweaking your Firefox

You get to work early and start your day by checking your e-mail, reading some news and writing some posts on your blog.

Most of the above-mentioned activities are done in your web browser, an essential tool nowadays. However, your day is just starting. You're eager to write a new post on your blog, but the browser is taking an eternity to load your blog web page. And your gmail page is still "Loading...".

How many of us haven't faced this situation so often? Probably, too many.

However, with a few tweaks you can improve the performance of Firefox and load pages faster than usual. Here are some tips and tricks to get you started.

First of all, you should back up the entire Firefox profile directory. Under Linux it is located in your home directory, something like this:

~/.mozilla/firefox/[some_numbers_and_letter].default

Back up the whole directory as follows:

cd ~/.mozilla/firefox

tar -cjvf firefox-prof-bak.tar.bz2 [some_numbers_and_letter].default

Now you're able to start tweaking your browser.

Open your browser, if it is not already open, and follow these steps:

  1. Type about:config in your address bar. This will open Firefox's built-in configurator;
  2. In the filter bar type http. This filters the options and only displays http flags;
  3. Change: network.http.pipelining to true by double clicking;
  4. Change: network.http.pipelining.maxrequests to 8 by double clicking then entering the new value in the box;
  5. Change: network.http.proxy.pipelining to true by double clicking
  6. Change: network.http.max-persistent-connections-per-proxy to 8
  7. Change: network.http.max-persistent-connections-per-server to 8
  8. Change: network.http.max-connections to 48
  9. Right-Click anywhere in the configurator and add a new integer. The name of this must be nglayout.initialpaint.delay and a value of 0
  10. Restart Firefox by closing all windows and tabs and then reopening Firefox for the changes to become effective.

Now your browser should load pages faster than before. In fact, what it is doing is opening many connections to the server and downloading content in parallel, instead of opening just one connection per server and downloading the entire content within that one connection.
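The same settings can also be kept in a user.js file in the profile directory, which Firefox reads at startup. The script below is an added example, not from the original post; the function names are made up here, and it assumes a Firefox release that still honours these preferences.

```shell
#!/bin/sh
# Added example, not from the original post: write the preferences from the
# steps above into PROFILE/user.js. Pass the profile directory as argument 1.

# Preference names and values exactly as listed in the article.
tweak_prefs() {
    cat <<'EOF'
network.http.pipelining true
network.http.pipelining.maxrequests 8
network.http.proxy.pipelining true
network.http.max-persistent-connections-per-proxy 8
network.http.max-persistent-connections-per-server 8
network.http.max-connections 48
nglayout.initialpaint.delay 0
EOF
}

# Rewrite user.js so each tweaked preference appears exactly once, keeping
# any unrelated lines that were already in the file. Safe to run repeatedly.
apply_tweaks() {
    profile=$1
    if [ ! -d "$profile" ]; then
        echo "profile directory not found: $profile" >&2
        return 1
    fi
    userjs="$profile/user.js"
    tmp="$userjs.new"
    pats="$userjs.pats"
    # One fixed-string pattern per preference, e.g. user_pref("name",
    tweak_prefs | while read -r name value; do
        printf 'user_pref("%s",\n' "$name"
    done > "$pats"
    if [ -f "$userjs" ]; then
        # grep exits 1 when every line is filtered out; that is not an error
        grep -v -F -f "$pats" "$userjs" > "$tmp" || true
    else
        : > "$tmp"
    fi
    tweak_prefs | while read -r name value; do
        printf 'user_pref("%s", %s);\n' "$name" "$value"
    done >> "$tmp"
    rm -f "$pats"
    mv "$tmp" "$userjs"
}

# Run against a profile only when one is given on the command line.
if [ "$#" -ge 1 ]; then
    apply_tweaks "$1"
fi
```

Close Firefox before running it, and keep the profile backup made earlier so the change can be undone by restoring the directory.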

The meanings of the parameters you have just changed are:

network.http.pipelining [Boolean] (True) - If set to True, this setting uses the new HTTP Pipelining feature supported by some servers and proxies. This can improve browsing speeds, however because the feature is not supported by all servers you may experience problems. I recommend setting this to True and only disabling it if you experience such problems as refused connections or unusual behavior.

network.http.pipelining.maxrequests [Integer] (8) - This setting determines the maximum number of requests to send when using the HTTP Pipelining feature (see above). The default is 4, and the maximum possible is 8 (higher values are ignored). I recommend setting this to 8 and only reducing it back to 4 if you experience any problems with the Pipelining feature.

network.http.proxy.pipelining [Boolean] (True) - If set to True, this setting enables the HTTP Pipelining feature (see network.http.pipelining above) for proxy servers. This can improve browsing speeds, however because the feature is not supported by all proxies you may experience problems. I recommend setting this to True and only disabling it if you experience such problems as refused connections or unusual behavior.

network.http.max-persistent-connections-per-proxy [Integer] (8) - If you are connected to a proxy, this setting determines how many connections to keep alive at any time. The default is 4, however you can attempt a higher value such as 8 to improve browser speed. As mentioned in the settings above, raising this to a very high value will put additional stress on the proxy server and may ultimately result in slower browsing for everyone on the proxy and/or a refused connection.

network.http.max-persistent-connections-per-server [Integer] (8) - If you are not connected to a proxy, this setting determines how many connections to a single server to keep alive at any time. The default is 2, however you can attempt a higher value such as 8 to improve browser speed. As mentioned in the settings above, raising this to a very high value will put stress on the particular website server you are connected to and will either result in a refused connection, or slower response times from the web page for every person trying to connect to it. Do not raise this value to one which is very high as it is inconsiderate and counter-productive if everyone does so.

network.http.max-connections [Integer] (48) - This setting determines how many simultaneous HTTP connections can be made by Firefox. The default is already 24, however for most people on moderate to fast Internet connections you can try raising this to a value like 48 or even 96 to allow for more open connections, thereby speeding up browsing multiple pages. The maximum is 65535, but remember that by raising this setting you are only raising the maximum possible number of connections. You aren't forcing Firefox to increase the actual number of connections it makes every time; if your system actually attempted to force 300 connections to open at once for example it would likely slow down to a crawl.

nglayout.initialpaint.delay [Integer] (0) - This setting determines how many milliseconds Firefox should wait before it starts to display the page contents. This brief delay allows Firefox to load and arrange the various page components as correctly as possible. The default is 250 milliseconds which isn't very long, however I recommend you set this to 0 to provide the earliest possible viewing of web content and improve the responsive feel of Firefox.

If you're the hacker type, here are some links that will help you go deeper in your tweaking:

http://www.tweakguides.com/Firefox_9.html

http://www.tweakfirefox.com/tweaks.php

http://kb.mozillazine.org/About:config_entries#Extensions..2A

http://firefox.stealthsettings.com/advanced-tweaking-firefox-20.html

Happy browsing,

Itzhak

Cross-Compiling GDB on Linux for Powerpc Platform

I'm a Software Engineer working with Embedded Systems. Currently, I'm working with Powerpc SoC Processor - AMC-440EP.

When I first started working on this project I built my development environment, which includes the PowerPC toolchain, Linux kernel and root file system plus some extra libraries I need in my project. However, at this stage I forgot to build a PowerPC debugger with my toolchain. Thus, I have to cross-compile gdb (http://www.gnu.org/software/gdb/) and gdbserver for remote debugging.

The steps to cross-compile GDB are:

Download the latest GDB version from http://www.gnu.org/software/gdb/download/

Decompress the tarball you have just downloaded:

tar -xjvf gdb-6.6.tar.bz2

cd gdb-6.6

Run the configuration script as follows (the --with-solib-absolute-prefix option is there to ensure it'll use the right libraries):

./configure --target=powerpc-linux --enable-sim-powerpc \
    --enable-sim-hostendian=little \
    --with-solib-absolute-prefix=/path/to/libdir \
    --prefix=/path/to/the/installation/of/toolchain

make

make install

Then, change directory to:

cd ./gdb/gdbserver

Run the configuration script for gdbserver:

export CC=powerpc-440-linux-gnu-gcc

./configure --host=powerpc-linux --prefix=/path/to/the/installation/of/toolchain

make

make install

That's all. Now you have a functional PowerPC cross-compiled gdb and gdbserver. You can start debugging your PowerPC embedded application.

Cheers,

Itzhak

Drupal 5.0 Released

The Drupal team has just released a new version of the popular CMS.

Read the full story here and check out what's new on Drupal.

Open Source Office Suite Solution

It's never enough to say that the open source community offers a huge amount of software that can make your life easier and even better. ;-)

You don't need to pay hundreds of dollars for an office suite. There is an open source alternative that is able to fulfill all your needs. OpenOffice is a multiplatform and multilingual office suite and an open-source project. Compatible with all other major office suites, the product is free to download, use, and distribute. OpenOffice can read documents saved in several file formats, including Microsoft Office, and it can save your documents in several file formats as well. Therefore, you can create a presentation, save it in Microsoft Powerpoint format (*.ppt) and send it to a friend who doesn't have OpenOffice installed yet, to read it in MS Powerpoint.

It's multiplatform: currently OpenOffice support includes Microsoft Windows, GNU/Linux ("Linux"), Sun Solaris, Mac OS X (under X11), and FreeBSD.

It's very easy to install. Download OpenOffice from here, for your specific platform.

To install it on Windows XP follow these short steps:

  1. Download and install Java JRE if you need the features that are Java dependent. More information on Java & OpenOffice.org.
  2. As you have already downloaded OpenOffice from www.openoffice.org.
  3. Open to Windows Explorer find the file and double-click to launch the unpacking and installation program.
  4. The Welcome window is displayed to note that you have downloaded OpenOffice.org 2.1. Click Next to continue.
  5. The Select Folder window is displayed. Accept the folder name displayed in the text box or enter the name of the folder in which to save the unpacked files, and click Unpack.
  6. Once the files are unpacked, the OpenOffice.org 2.1 Installation Wizard is displayed. Click Next to continue installing OpenOffice.org 2.1. Follow the prompts, and OpenOffice.org will be installed on your system, ready for use.
  7. Read the information in the Welcome window and then click Next. The License Agreement window appears. Note: You will need to use the scroll bar to view all of the license text. If you do not wish to accept the license, you will be prompted to confirm this before the installation programme closes.
  8. Read the license, select "I accept the terms in the license agreement", and click Next. The Customer Information window appears. You may leave this form blank, or enter your User Name and if applicable, Organisation. Note: If you logged in as administrator you will be prompted to install for all users.
  9. Complete Customer Information form and click Next. The Setup Type window appears.
  10. Select a setup type (we recommend Complete) and click Next. The File Type window is displayed.
  11. Select the file types that you wish to open with the OpenOffice.org program. The default configuration is that all the file types are selected. This means that the OpenOffice.org programme will start when these file types are opened. De-select (click on the ticks) to view, edit and print these file types with your existing word processing, spreadsheet or presentation program. Note: If you change your mind, returning to the prior state is tedious. You will need to reassociate all word processing, spreadsheet or presentation files with the appropriate file type. To read more, please see the file associations FAQ on the OpenOffice.org web site. You can use file types not associated with OpenOffice.org, by starting Openoffice.org then open the file by choosing Open from the File menu.
  12. Once you have selected the file types click Next. The Ready to Install the Program window is displayed.
  13. Click the Back button to return to previous windows to change your installation options, otherwise click Install to begin the installation process.
  14. Click the Finish button when the Installation Wizard Finished window is displayed.
  15. If you logged in as administrator, logout. Each user can then invoke OpenOffice.org from the program menu which will allow the user to configure OpenOffice.org as a workstation copy with no further effort on the part of the user.

A more extensive setup guide, which covers a wider variety of operating systems in great depth, is available in PDF format here: Extensive setup guide.


Run OpenOffice.org to ensure that the installation was successful.
When you first run OpenOffice.org after successfully installing the program, you will be prompted to accept the license, enter your user name and register your copy.
  1. Login using your user account, and if you installed OpenOffice.org successfully it will appear on the Programs sub-menu of the Start menu.
  2. Click on one of the OpenOffice.org components (we recommend Writer). The Welcome window is displayed.
  3. Click Next to display the License Agreement window.
  4. Scroll to read the license and click Accept to continue. The Transfer personal data window is displayed. If you wish to reuse personal data from a previous installation click Next. If you do not wish to reuse any settings from a previous installed version, unmark the checkbox and click Next.
  5. The user information window is displayed. You are prompted to enter your name. This is used in the document properties, templates and when you record changes made to documents. This is useful if you are working on a document with others, but you don't need to complete this information in order to proceed. This information can also be entered later when using the program.
  6. Complete the form and click Next to display the Registration window. You will need to be connected to the internet if you select "I want to register now" and click Finish. Your browser will display a welcome message on the OpenOffice.org web site and then redirect you to a user survey page. If you are not connected to the internet, you can choose to register later. Registration of OpenOffice.org and completion of the user survey is optional and is not required for you to ensure full use of OpenOffice.org. Note: Registration of the OpenOffice.org programme is completely separate to subscribing to various OpenOffice.org mailing lists and registering yourself with the www.openoffice.org site to submit bugs, enhancement requests and contribute to projects.

Remark: The installation steps above are quoted from http://download.openoffice.org/2.1.0/instructions.html

Once you have OpenOffice installed and running, we can read some tutorials online. Here is the link to some good ones:

http://www.tutorialsforopenoffice.org/

http://documentation.openoffice.org/

With funding from the U.S. Department of Education Inpics has placed several tutorials for OpenOffice.org online:

Writer, Calc, Base database tool and Impress, the presentation tool.

Bounty offered for Vista, IE flaws

VeriSign's security arm iDefense announced this week that the company would pay independent flaw finders $8,000 for each remotely exploitable flaw found in Microsoft's Windows Vista or Internet Explorer 7.

"Both Microsoft Internet Explorer and Microsoft Windows dominate their respective markets, and it is not surprising that the decision to update to the current release of Internet Explorer 7.0 and/or Windows Vista is fraught with uncertainty," the company said in the statement announcing the program. "Primary in the minds of IT security professionals is the question of vulnerabilities that may be present in these two groundbreaking products."

Anyone?

Linux is Everywhere!

"FSMLabs (http://www.fsmlabs.com) announced today that its flagship RTLinux real-time software is now being used in Cablecam flying cameras used to film NFL and other sporting events. Cablecam is a provider of footage for NFL and NCAA football games as well as for the motion picture industry."

“Flying expensive cameras 12-50 feet in the air above football stars on live TV is a mission critical application” explained Cablecam founder Jim Rudnusky. “RTLinux was chosen for its reliability: it keeps personnel safe and ensures that the camera keeps flying when the game is on the air. The deterministic timing available from RTLinux is crucial to achieving smooth motor motion at high torque. The Cablecam application could not be achieved by anything less than a hard real-time OS.”

Full story can be read here.


So starts the FSMLabs newsletter that I receive monthly. Reading the news in that letter was no surprise to me. I have worked with Linux for 14 (fourteen) years and I have taken part in many interesting projects with Linux, from big to very small devices. Watching Linux reach mission critical devices, such as the NASA rover on Mars (http://searchopensource.techtarget.com/originalContent/0,289142,sid39_gci1157697,00.html), gives me satisfaction and a feeling of accomplishment from taking part in the open source community.